topic Re: Permissions of user-ID service account for wmi and netbios probing in General Topics

Permissions of user-ID service account for wmi and netbios probing

faizankhurshid — Sat, 17 Mar 2018 08:44:08 GMT

Hi All

As I know to read the logs from DC, "Event Log Readers" permission is required for service account.

For WMI probing to clients, I need all below (please correct me if I am wrong)

1- Service account permission should be "Server Operators" in AD to read the CIMV2 namespace on the client systems

2- Give proper permission to the service account for WMI CIMv2 on each client system by using wmimgmt.msc

3- Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client

Questions:

- For point 2, this need to be done on each client system individually or can be done through GPO? I have more than 7000 users in network

- By default wmi probing is done by user-ID agent against only the clients? NOT against AD servers?

- For netbios probing, what permissions are required for service account?

Re: Permissions of user-ID service account for wmi and netbios probing

Remo — Sat, 17 Mar 2018 18:33:56 GMT

Hi @faizankhurshid

@faizankhurshidwrote:

- For point 2, this need to be done on each client system individually or can be done through GPO? I have more than 7000 users in network

Unfortunately no, it is not possible with GPOs, but you can do it with admin logon or startup scripts (like in the example here: https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/)

@faizankhurshidwrote:
- By default wmi probing is done by user-ID agent against only the clients? NOT against AD servers?

It depends. To avoid these probes to servers you need to carefully set all the user-ID settings. For example if you have a zone enabled for user identification. In this zone you have 2 networks: 192.168.0.0/24 for clients and 192.168.1.0/24 for servers. By default, if you do not set the User-ID include or exclude networks in the zone configuration, and there is a connection from a server without existing user-ip mapping, then the firewall will probe that IP to try to get a user-ip mapping. So you need to make sure, that you set all the IP ranges where you expect users to avoid probes to be sent to servers.

@faizankhurshidwrote:

- For netbios probing, what permissions are required for service account?

A quote from (a quite old) user-id best practice document: "NetBIOS probes have no authentication and do not require any specific group membership of the Agent account." Source: https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/ConfigurationArticles/1348/1/User-ID_Best%20Practices-6.pdf

Regards,

Remo

Re: Permissions of user-ID service account for wmi and netbios probing

faizankhurshid — Mon, 26 Mar 2018 07:59:01 GMT

@Remo thanks. Last question, for netbios probing is also done against clients ? I need to know how netbios probing works for getting the user-ip mapping.

Thanks

Re: Permissions of user-ID service account for wmi and netbios probing

Remo — Mon, 26 Mar 2018 16:01:35 GMT

Hi @faizankhurshid

Netbios probing is primarily for probing clients, as you probably don't have that much users on servers. How it actually works is magic by microsoft ... a better explenation you can finde for example here: http://techgenix.com/nbtstatrevealswhoisloggedon/